fix: verify that bc works with approved_only mode set

.github/scripts/verify_assertions_basic.sh

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+echo "basic assertions"
+printf 'here is some data to encrypt' > data
+
+ASSERTIONS='[{"id":"assertion1","type":"handling","scope":"tdo","appliesToState":"encrypted","statement":{"format":"json+stanag5636","schema":"urn:nato:stanag:5636:A:1:elements:json","value":"{\"ocl\":\"2024-10-21T20:47:36Z\"}"}}]'
+
+java -jar target/cmdline.jar \
+  --client-id=opentdf-sdk \
+  --client-secret=secret \
+  --platform-endpoint=http://localhost:8080 \
+  -h \
+  encrypt \
+  --kas-url=http://localhost:8080 \
+  --mime-type=text/plain \
+  --with-assertions="$ASSERTIONS" \
+  --autoconfigure=false \
+  -f data \
+  -m 'here is some metadata' > test.tdf
+
+java -jar target/cmdline.jar \
+  --client-id=opentdf-sdk \
+  --client-secret=secret \
+  --platform-endpoint=http://localhost:8080 \
+  -h \
+  decrypt \
+  -f test.tdf > decrypted
+
+if ! diff -q data decrypted; then
+  printf 'decrypted data is incorrect [%s]\n' "$(< decrypted)"
+  exit 1
+fi
+

.github/scripts/verify_assertions_hs256.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+echo "hs256 assertions"
+printf 'here is some data to encrypt' > data
+
+HS256_KEY=$(openssl rand -base64 32)
+SIGNED_ASSERTIONS_HS256='[{"id":"assertion1","type":"handling","scope":"tdo","appliesToState":"encrypted","statement":{"format":"json+stanag5636","schema":"urn:nato:stanag:5636:A:1:elements:json","value":"{\"ocl\":\"2024-10-21T20:47:36Z\"}"},"signingKey":{"alg":"HS256","key":"'"$HS256_KEY"'"}}]'
+SIGNED_ASSERTION_VERIFICATON_HS256='{"keys":{"assertion1":{"alg":"HS256","key":"'"$HS256_KEY"'"}}}'
+
+java -jar target/cmdline.jar \
+  --client-id=opentdf-sdk \
+  --client-secret=secret \
+  --platform-endpoint=http://localhost:8080 \
+  -h \
+  encrypt \
+  --kas-url=http://localhost:8080 \
+  --mime-type=text/plain \
+  --with-assertions="$SIGNED_ASSERTIONS_HS256" \
+  --autoconfigure=false \
+  -f data \
+  -m 'here is some metadata' > test.tdf
+
+java -jar target/cmdline.jar \
+  --client-id=opentdf-sdk \
+  --client-secret=secret \
+  --platform-endpoint=http://localhost:8080 \
+  -h \
+  decrypt \
+  --with-assertion-verification-keys="$SIGNED_ASSERTION_VERIFICATON_HS256" \
+  -f test.tdf > decrypted
+
+if ! diff -q data decrypted; then
+  printf 'decrypted data is incorrect [%s]\n' "$(< decrypted)"
+  exit 1
+fi

.github/scripts/verify_assertions_rs256.sh

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+echo "rs256 assertions"
+printf 'here is some data to encrypt' > data
+
+openssl genpkey -algorithm RSA -out rs_private_key.pem -pkeyopt rsa_keygen_bits:2048
+openssl rsa -pubout -in rs_private_key.pem -out rs_public_key.pem
+
+RS256_PRIVATE_KEY=$(awk '{printf "%s\\n", $0}' rs_private_key.pem)
+RS256_PUBLIC_KEY=$(awk '{printf "%s\\n", $0}' rs_public_key.pem)
+SIGNED_ASSERTIONS_RS256='[{"id":"assertion1","type":"handling","scope":"tdo","appliesToState":"encrypted","statement":{"format":"json+stanag5636","schema":"urn:nato:stanag:5636:A:1:elements:json","value":"{\"ocl\":\"2024-10-21T20:47:36Z\"}"},"signingKey":{"alg":"RS256","key":"'"$RS256_PRIVATE_KEY"'"}}]'
+SIGNED_ASSERTION_VERIFICATON_RS256='{"keys":{"assertion1":{"alg":"RS256","key":"'"$RS256_PUBLIC_KEY"'"}}}'
+
+java -jar target/cmdline.jar \
+  --client-id=opentdf-sdk \
+  --client-secret=secret \
+  --platform-endpoint=http://localhost:8080 \
+  -h \
+  encrypt \
+  --kas-url=http://localhost:8080 \
+  --mime-type=text/plain \
+  --with-assertions "$SIGNED_ASSERTIONS_RS256" \
+  --autoconfigure=false \
+  -f data \
+  -m 'here is some metadata' > test.tdf
+
+java -jar target/cmdline.jar \
+  --client-id=opentdf-sdk \
+  --client-secret=secret \
+  --platform-endpoint=http://localhost:8080 \
+  -h \
+  decrypt \
+  --with-assertion-verification-keys "$SIGNED_ASSERTION_VERIFICATON_RS256" \
+  -f test.tdf > decrypted
+
+if ! diff -q data decrypted; then
+  printf 'decrypted data is incorrect [%s]\n' "$(< decrypted)"
+  exit 1
+fi
+

.github/scripts/verify_cmdline_roundtrip.sh

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+printf 'here is some data to encrypt' > data
+
+java -jar target/cmdline.jar \
+  --client-id=opentdf-sdk \
+  --client-secret=secret \
+  --platform-endpoint=http://localhost:8080 \
+  -h \
+  encrypt \
+  --kas-url=http://localhost:8080 \
+  --mime-type=text/plain \
+  --attr https://example.com/attr/attr1/value/value1 \
+  --autoconfigure=false \
+  -f data \
+  -m 'here is some metadata' > test.tdf
+
+java -jar target/cmdline.jar \
+  --client-id=opentdf-sdk \
+  --client-secret=secret \
+  --platform-endpoint=http://localhost:8080 \
+  -h \
+  decrypt \
+  -f test.tdf > decrypted
+
+java -jar target/cmdline.jar \
+  --client-id=opentdf-sdk \
+  --client-secret=secret \
+  --platform-endpoint=http://localhost:8080 \
+  -h \
+  metadata \
+  -f test.tdf > metadata
+
+if ! diff -q data decrypted; then
+  printf 'decrypted data is incorrect [%s]\n' "$(< decrypted)"
+  exit 1
+fi
+
+if [ "$(< metadata)" != 'here is some metadata' ]; then
+  printf 'metadata is incorrect [%s]\n' "$(< metadata)"
+  exit 1
+fi
+

.github/workflows/checks.yaml

@@ -92,7 +92,14 @@ jobs:
           BUF_INPUT_HTTPS_PASSWORD: ${{ secrets.PERSONAL_ACCESS_TOKEN_OPENTDF }}
         run: mvn clean --batch-mode clean generate-sources
       - name: Tests and enforcer (fips)
-        run: mvn --batch-mode test enforcer:enforce -P 'fips,!non-fips' -Dmaven.antrun.skip
+        run: |
+          # install the the sdk-fips-bouncycastle jar so that FIPS mode tests work
+          mvn --batch-mode install -pl sdk-fips-bouncycastle -am \
+            -Dmaven.antrun.skip \
+            -Dmaven.test.skip
+          mvn --batch-mode test enforcer:enforce -P 'fips,!non-fips' \
+            -Dmaven.antrun.skip \
+            -Dorg.bouncycastle.fips.approved_only=true
       - name: Tests with coverage and javadoc (non-fips)
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -104,7 +111,15 @@ jobs:
             -P 'coverage,non-fips,!fips'
 
   platform-integration:
+    name: "Platform Integration ${{ matrix.label }}"
     runs-on: ubuntu-22.04
+    strategy:
+      matrix:
+        include:
+          - label: ""
+            maven_profile: ""
+          - label: " (FIPS)"
+            maven_profile: "-P 'fips,!non-fips'"
     steps:
       - name: Checkout Java SDK
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -117,12 +132,6 @@ jobs:
           java-version: "17"
           distribution: "temurin"
           server-id: github
-      - name: Build java SDK
-        run: |
-          mvn --batch-mode clean install -DskipTests
-        env:
-          BUF_INPUT_HTTPS_USERNAME: opentdf-bot
-          BUF_INPUT_HTTPS_PASSWORD: ${{ secrets.PERSONAL_ACCESS_TOKEN_OPENTDF }}
 
       - name: Check out and start up platform with deps/containers
         id: run-platform
@@ -137,121 +146,26 @@ jobs:
           grpcurl -plaintext localhost:8080 list && \
           grpcurl -plaintext localhost:8080 kas.AccessService/PublicKey
 
-      - name: Validate the SDK through the command line interface
+      - name: Build java SDK${{ matrix.label }}
         run: |
-          printf 'here is some data to encrypt' > data
-
-          java -jar target/cmdline.jar \
-            --client-id=opentdf-sdk \
-            --client-secret=secret \
-            --platform-endpoint=http://localhost:8080 \
-            -h\
-            encrypt --kas-url=http://localhost:8080 --mime-type=text/plain --attr https://example.com/attr/attr1/value/value1 --autoconfigure=false -f data -m 'here is some metadata' > test.tdf
-
-          java -jar target/cmdline.jar \
-            --client-id=opentdf-sdk \
-            --client-secret=secret \
-            --platform-endpoint=http://localhost:8080 \
-            -h\
-            decrypt -f test.tdf > decrypted
-
-          java -jar target/cmdline.jar \
-            --client-id=opentdf-sdk \
-            --client-secret=secret \
-            --platform-endpoint=http://localhost:8080 \
-            -h\
-            metadata -f test.tdf > metadata
-
-          if ! diff -q data decrypted; then
-            printf 'decrypted data is incorrect [%s]' "$(< decrypted)"
-            exit 1
-          fi
+          mvn --batch-mode clean install -pl cmdline -am ${{ matrix.maven_profile }} -DskipTests
+        env:
+          BUF_INPUT_HTTPS_USERNAME: opentdf-bot
+          BUF_INPUT_HTTPS_PASSWORD: ${{ secrets.PERSONAL_ACCESS_TOKEN_OPENTDF }}
 
-          if [ "$(< metadata)" != 'here is some metadata' ]; then
-            printf 'metadata is incorrect [%s]\n' "$(< metadata)"
-            exit 1
-          fi
+      - name: Validate the SDK through the command line interface${{ matrix.label }}
+        run: |
+          ../.github/scripts/verify_cmdline_roundtrip.sh
         working-directory: cmdline
 
-      - name: Encrypt/Decrypt Assertions
+      - name: Encrypt/Decrypt Assertions${{ matrix.label }}
         run: |
-          echo "basic assertions"
-          echo 'here is some data to encrypt' > data
-
-          ASSERTIONS='[{"id":"assertion1","type":"handling","scope":"tdo","appliesToState":"encrypted","statement":{"format":"json+stanag5636","schema":"urn:nato:stanag:5636:A:1:elements:json","value":"{\"ocl\":\"2024-10-21T20:47:36Z\"}"}}]'
-
-          java -jar target/cmdline.jar \
-            --client-id=opentdf-sdk \
-            --client-secret=secret \
-            --platform-endpoint=http://localhost:8080 \
-            -h\
-            encrypt --kas-url=http://localhost:8080 --mime-type=text/plain --with-assertions=$ASSERTIONS --autoconfigure=false -f data -m 'here is some metadata' > test.tdf
-
-          java -jar target/cmdline.jar \
-            --client-id=opentdf-sdk \
-            --client-secret=secret \
-            --platform-endpoint=http://localhost:8080 \
-            -h\
-            decrypt -f test.tdf > decrypted
-
-          if ! diff -q data decrypted; then
-            printf 'decrypted data is incorrect [%s]' "$(< decrypted)"
-            exit 1
-          fi
-
-          HS256_KEY=$(openssl rand -base64 32)
-          openssl genpkey -algorithm RSA -out rs_private_key.pem -pkeyopt rsa_keygen_bits:2048
-          openssl rsa -pubout -in rs_private_key.pem -out rs_public_key.pem
-          RS256_PRIVATE_KEY=$(awk '{printf "%s\\n", $0}' rs_private_key.pem)
-          RS256_PUBLIC_KEY=$(awk '{printf "%s\\n", $0}' rs_public_key.pem)
-          SIGNED_ASSERTIONS_HS256='[{"id":"assertion1","type":"handling","scope":"tdo","appliesToState":"encrypted","statement":{"format":"json+stanag5636","schema":"urn:nato:stanag:5636:A:1:elements:json","value":"{\"ocl\":\"2024-10-21T20:47:36Z\"}"},"signingKey":{"alg":"HS256","key":"'$HS256_KEY'"}}]'
-          SIGNED_ASSERTION_VERIFICATON_HS256='{"keys":{"assertion1":{"alg":"HS256","key":"'$HS256_KEY'"}}}'
-          SIGNED_ASSERTIONS_RS256='[{"id":"assertion1","type":"handling","scope":"tdo","appliesToState":"encrypted","statement":{"format":"json+stanag5636","schema":"urn:nato:stanag:5636:A:1:elements:json","value":"{\"ocl\":\"2024-10-21T20:47:36Z\"}"},"signingKey":{"alg":"RS256","key":"'$RS256_PRIVATE_KEY'"}}]'
-          SIGNED_ASSERTION_VERIFICATON_RS256='{"keys":{"assertion1":{"alg":"RS256","key":"'$RS256_PUBLIC_KEY'"}}}'
-
-          echo "hs256 assertions"
-
-          java -jar target/cmdline.jar \
-            --client-id=opentdf-sdk \
-            --client-secret=secret \
-            --platform-endpoint=http://localhost:8080 \
-            -h\
-            encrypt --kas-url=http://localhost:8080 --mime-type=text/plain --with-assertions="$SIGNED_ASSERTIONS_HS256" --autoconfigure=false -f data -m 'here is some metadata' > test.tdf
-
-          java -jar target/cmdline.jar \
-            --client-id=opentdf-sdk \
-            --client-secret=secret \
-            --platform-endpoint=http://localhost:8080 \
-            -h\
-            decrypt --with-assertion-verification-keys="$SIGNED_ASSERTION_VERIFICATON_HS256" -f test.tdf > decrypted
-
-          if ! diff -q data decrypted; then
-            printf 'decrypted data is incorrect [%s]' "$(< decrypted)"
-            exit 1
-          fi
-
-          echo "rs256 assertions"
-
-          java -jar target/cmdline.jar \
-            --client-id=opentdf-sdk \
-            --client-secret=secret \
-            --platform-endpoint=http://localhost:8080 \
-            -h\
-            encrypt --kas-url=http://localhost:8080 --mime-type=text/plain --with-assertions "$SIGNED_ASSERTIONS_RS256" --autoconfigure=false -f data -m 'here is some metadata' > test.tdf
-
-          java -jar target/cmdline.jar \
-            --client-id=opentdf-sdk \
-            --client-secret=secret \
-            --platform-endpoint=http://localhost:8080 \
-            -h\
-            decrypt --with-assertion-verification-keys "$SIGNED_ASSERTION_VERIFICATON_RS256" -f test.tdf > decrypted
-
-          if ! diff -q data decrypted; then
-            printf 'decrypted data is incorrect [%s]' "$(< decrypted)"
-            exit 1
-          fi
+          ../.github/scripts/verify_assertions_basic.sh
+          ../.github/scripts/verify_assertions_hs256.sh
+          ../.github/scripts/verify_assertions_rs256.sh
         working-directory: cmdline
 
+
   platform-xtest:
     permissions:
       contents: read

cmdline/pom.xml

@@ -78,4 +78,19 @@
             <version>${project.version}</version>
         </dependency>
     </dependencies>
+    <profiles>
+        <profile>
+            <id>fips</id>
+            <activation>
+                <activeByDefault>false</activeByDefault>
+            </activation>
+            <dependencies>
+                <dependency>
+                    <groupId>io.opentdf.platform</groupId>
+                    <artifactId>sdk-fips-bouncycastle</artifactId>
+                    <version>${project.version}</version>
+                </dependency>
+            </dependencies>
+        </profile>
+    </profiles>
 </project>

cmdline/src/main/java/io/opentdf/platform/Command.java

@@ -10,7 +10,6 @@
 import com.google.gson.GsonBuilder;
 import com.google.gson.reflect.TypeToken;
 
-import java.security.cert.X509Certificate;
 import java.text.ParseException;
 import com.google.gson.JsonSyntaxException;
 import io.opentdf.platform.sdk.AssertionConfig;
@@ -19,11 +18,12 @@
 import io.opentdf.platform.sdk.KeyType;
 import io.opentdf.platform.sdk.SDK;
 import io.opentdf.platform.sdk.SDKBuilder;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import picocli.CommandLine;
 import picocli.CommandLine.HelpCommand;
 import picocli.CommandLine.Option;
 
-import javax.net.ssl.X509TrustManager;
 import java.io.BufferedInputStream;
 import java.io.BufferedOutputStream;
 import java.io.File;
@@ -63,7 +63,7 @@ class Versions {
 @CommandLine.Command(name = "tdf", subcommands = { HelpCommand.class }, version = "{\"version\":\"" + Versions.SDK
         + "\",\"tdfSpecVersion\":\"" + Versions.TDF_SPEC + "\"}")
 class Command {
-
+    private static final Logger LOG = LoggerFactory.getLogger(Command.class);
     @Option(names = { "-V", "--version" }, versionHelp = true, description = "display version info")
     boolean versionInfoRequested;
 
@@ -207,6 +207,7 @@ void encrypt(
             return ki;
         }).toArray(Config.KASInfo[]::new);
 
+
         List<Consumer<Config.TDFConfig>> configs = new ArrayList<>();
         configs.add(Config.withKasInformation(kasInfos));
         metadata.map(Config::withMetaData).ifPresent(configs::add);